unofficial mirror of guix-devel@gnu.org 
From: Remco van 't Veer <remco@remworks.net>
To: Csepp <raingloom@riseup.net>
Cc: 55358@debbugs.gnu.org,
	Maxim Cournoyer <maxim.cournoyer@gmail.com>,
	zimoun <zimon.toutoune@gmail.com>,
	guix-devel@gnu.org
Subject: Re: bug#55358: docker containers stopped when doing guix install or guix shell
Date: Tue, 23 May 2023 09:53:35 +0200
Message-ID: <87ilcjmqkg.fsf@remworks.net>
In-Reply-To: <87fs7st0m3.fsf@riseup.net>

Hi Csepp,

2023/05/20 00:29, Csepp:

> Remco van 't Veer <remco@remworks.net> writes:
>
>> Hi Maxim and Zimoun,
>>
>> 2023/02/09 13:26, Remco van 't Veer:
>>
>>> I think I know what is causing the issue.  Both the "standard" mysql and
>>> postgres containers use user-id 999 to run the database service (this
>>> seems like a common practice because the redis container is configured
>>> similarly).  That user-id is also configured as guixbuilder01 so I guess
>>> the guix daemon is killing those processes when it finishes doing
>>> builds.
>>
>> I found a solution / workaround for this problem by using
>> "userns-remap".  This feature allows the remapping of uids and gids to
>> different ranges.  I tried it by hacking the required files into my
>> etc-directory and it works; guix no longer kills my database containers.
>>
>> I'd like to add this feature to docker-service-type having a new
>> configuration option named enable-userns-remap? which introduces a new
>> user and group (both named dockremap) to do the remapping by adding some
>> configurable number to the uids and gids of the running container.  In
>> /etc/subuid and /etc/subgid it would look like:
>>
>>   dockremap:100000:65536
>>
>> See https://docs.docker.com/engine/security/userns-remap/ for
>> documentation about this.
>>
>> WDYT?
>>
>> Cheers,
>> Remco
>
> The rootless podman example that was shared a few months ago could be
> relevant to this, since that also adds a subuid/subgid mapping.

Thanks!  Borrowed that.

For future reference:

  https://lists.gnu.org/archive/html/guix-devel/2023-03/msg00176.html

Cheers,
Remco
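The mechanism the thread describes, worked through as an added example (this is not code from the thread, from Guix or from Docker): a container runs its database as UID 999, guix-daemon owns UID 999 as guixbuilder01 and kills every process of that user when a build finishes, and a "dockremap:100000:65536" entry in /etc/subuid shifts the container's UID 999 to host UID 100999, which no build user owns.  The passwd and subuid data are constructed inline to mirror that situation; the function names (remap_uid, builder_for_uid, check_uid) and the sample accounts are assumptions of the example, not anything the thread or Guix defines.

```shell
#!/bin/sh
# Added example, not code from the thread, Guix or Docker.  It models how a
# user-namespace remap moves a container's UID out of the guixbuilder range.

# Constructed /etc/passwd-style data: guixbuilder01 holds UID 999, the same
# UID the stock mysql/postgres containers run their service as.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
guixbuilder01:x:999:998:Guix build user 01:/var/empty:/usr/bin/nologin
guixbuilder02:x:1000:998:Guix build user 02:/var/empty:/usr/bin/nologin'

# Constructed /etc/subuid content: the dockremap entry proposed in the thread.
# Format is name:start:count, i.e. dockremap owns host UIDs 100000..165535.
SAMPLE_SUBUID='dockremap:100000:65536'

# remap_uid USER CONTAINER_UID SUBUID_DATA
# Prints the host UID that CONTAINER_UID maps to through USER's first
# subordinate range.  Returns 1 if USER has no range or the UID is outside it.
remap_uid() {
    user=$1; cuid=$2; data=$3
    range=$(printf '%s\n' "$data" | awk -F: -v u="$user" '$1==u {print $2":"$3; exit}')
    [ -n "$range" ] || return 1
    start=${range%%:*}; count=${range#*:}
    [ "$cuid" -lt "$count" ] || return 1
    echo $((start + cuid))
}

# builder_for_uid UID PASSWD_DATA
# Prints the guixbuilder* account that owns UID; returns 1 if none does.
builder_for_uid() {
    uid=$1; data=$2
    name=$(printf '%s\n' "$data" | awk -F: -v u="$uid" '$3==u && $1 ~ /^guixbuilder/ {print $1; exit}')
    [ -n "$name" ] || return 1
    echo "$name"
}

# check_uid CONTAINER_UID
# Reports whether a container process running as CONTAINER_UID shares a UID
# with a Guix build user, first without and then with the dockremap range.
check_uid() {
    cuid=$1
    if b=$(builder_for_uid "$cuid" "$SAMPLE_PASSWD"); then
        echo "uid $cuid without remap: collides with $b (killed after builds)"
    else
        echo "uid $cuid without remap: no collision"
    fi
    huid=$(remap_uid dockremap "$cuid" "$SAMPLE_SUBUID") || {
        echo "uid $cuid: no usable subuid range for dockremap"; return 1; }
    if b=$(builder_for_uid "$huid" "$SAMPLE_PASSWD"); then
        echo "uid $cuid with remap -> host uid $huid: collides with $b"
    else
        echo "uid $cuid with remap -> host uid $huid: no collision"
    fi
}

check_uid 999
```

The same range must appear in /etc/subgid for the group side, and the daemon only applies it once it is told which user to remap through (the "userns-remap" key in /etc/docker/daemon.json, per the Docker documentation linked in the thread).  The check above is also worth running against host UID 1000 and up: remapping moves the collision rather than removing it if the subordinate range happens to overlap the guixbuilder accounts, so the range start should be chosen above every build user's UID.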



Thread overview: 4+ messages
     [not found] <87ilqch79l.fsf@remworks.net>
     [not found] ` <87mtde8mrr.fsf@gmail.com>
     [not found]   ` <87h73m9z3f.fsf@remworks.net>
     [not found]     ` <875ycb6n3w.fsf@remworks.net>
2023-05-19 15:50       ` bug#55358: docker containers stopped when doing guix install or guix shell Remco van 't Veer
2023-05-19 22:29         ` Csepp
2023-05-23  7:53           ` Remco van 't Veer [this message]
2023-05-23  7:49         ` [PATCH] services: docker: Add 'enable-userns-remap?' argument Remco van 't Veer
